<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Apache module mod_auth</TITLE>
</HEAD>

<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<!--#include virtual="header.html" -->

<H1 ALIGN="CENTER">Module mod_auth</H1>

This module is contained in the <CODE>mod_auth.c</CODE> file, and
is compiled in by default. It provides for user authentication using
textual files.


<MENU>
<LI><A HREF="#authgroupfile">AuthGroupFile</A>
<LI><A HREF="#authuserfile">AuthUserFile</A>
<LI><A HREF="#authauthoritative">AuthAuthoritative</A>
</MENU>
<HR>


<H2><A NAME="authgroupfile">AuthGroupFile</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthGroupFile} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthGroupFile <EM>filename</EM><BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Base<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth<P>

The AuthGroupFile directive sets the name of a textual file containing the list
of user groups for user authentication. <EM>Filename</EM> is the path
to the group file.  If it is not absolute (<EM>i.e.</EM>, if it
doesn't begin with a slash), it is treated as relative to the ServerRoot.
<P>
Each line of the group file contains a groupname followed by a colon, followed
by the member usernames separated by spaces. Example:
<BLOCKQUOTE><CODE>mygroup: bob joe anne</CODE></BLOCKQUOTE>
Note that searching large text files is <EM>very</EM> inefficient;
<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
be used instead.<P>

Security: make sure that the AuthGroupFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the AuthGroupFile.<P>

See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authuserfile">AuthUserFile</A>.<P><HR>

<H2><A NAME="authuserfile">AuthUserFile</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthUserFile} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthUserFile <EM>filename</EM><BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Base<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth<P>

The AuthUserFile directive sets the name of a textual file containing
the list of users and passwords for user
authentication. <EM>Filename</EM> is the path to the user
file. If it is not absolute (<EM>i.e.</EM>, if it doesn't begin with a
slash), it is treated as relative to the ServerRoot.
<P> Each line of the user file file contains a username followed
by a colon, followed by the crypt() encrypted password. The behavior
of multiple occurrences of the same user is undefined.
<P>
The utility <code>htpasswd</code> which is installed as part of the
binary distribution, or which can be found in <code>src/support</code>,
is used to maintain this password file. See the <code>man</code>
page for more details. In short
<p>
<blockquote>
	<code>htpasswd -c Filename username</code><br>
	Create a password file 'Filename' with 'username'
	as the initial ID. It will prompt for the password.
	<code>htpasswd Filename username2</code><br>
	Adds or modifies in password file 'Filename' the 'username'.
</blockquote>
<P> Note that
searching large text files is <EM>very</EM> inefficient;
<A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
used instead.
<P>

Security: make sure that the AuthUserFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the AuthUserFile.<P>

See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authgroupfile">AuthGroupFile</A>.<P>
<HR>
<H2><A NAME="authauthoritative">AuthAuthoritative</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthAuthoritative} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthAuthoritative &lt;
 <STRONG> on</STRONG>(default) | off &gt; <BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Base<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth<P>

Setting the AuthAuthoritative directive explicitly to <STRONG>'off'</STRONG>
allows for both authentication and authorization to be passed on to
lower level modules (as defined in the <CODE>Configuration</CODE> and
<CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
<STRONG>rule</STRONG> matching the supplied userID. If there is a userID and/or
rule specified; the usual password and access checks will be applied
and a failure will give an Authorization Required reply.

<P>

So if a userID appears in the database of more than one module; or if
a valid require directive applies to more than one module; then the
first module will verify the credentials; and no access is passed on;
regardless of the AuthAuthoritative setting.

<P>

A common use for this is in conjunction with one of the database
modules; such as <A
HREF="mod_auth_db.html"><CODE>mod_auth_db.c</CODE></A>, <A
HREF="mod_auth_dbm.html"><CODE>mod_auth_dbm.c</CODE></A>, 
<CODE>mod_auth_msql.c</CODE>, and <A
HREF="mod_auth_anon.html"><CODE>mod_auth_anon.c</CODE></A>. These modules
supply the bulk of the user credential checking; but a few
(administrator) related accesses fall through to a lower level with a
well protected AuthUserFile.

<P>

<A
 HREF="directive-dict.html#Default"
 REL="Help"
><STRONG>Default:</STRONG></A> By default; control is not passed on; and an
 unknown
userID or rule will result in an Authorization Required reply. Not
setting it thus keeps the system secure; and forces an NCSA compliant
behaviour.

<P>

Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file; and verify that this is really
what you want; Generally it is easier to just secure a single
.htpasswd file, than it is to secure a database such as mSQL. Make
sure that the AuthUserFile is stored outside the document tree of the
web-server; do <EM>not</EM> put it in the directory that it
protects. Otherwise, clients will be able to download the
AuthUserFile.

<P>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authgroupfile">AuthGroupFile</A>.<P>

<!--#include virtual="footer.html" -->
</BODY>
</HTML>

